
Many protocols today allow you to upgrade to TLS from within a cleartext version of the protocol. This often falls under the rubric of "STARTTLS", though different protocols have different ways of doing it.

I often forget the exact steps, and when I'm debugging a TLS connection (e.g. with tools like gnutls-cli) I need to poke a remote peer into being ready for a TLS handshake. So I'm noting the different mechanisms here. Lines starting with C: are from the client, lines starting with S: are from the server.

Many of these are (roughly) built into openssl s_client via the -starttls option. Sometimes that doesn't work because the handshake needs tuning for a given server; other times you want to do this with a different TLS library. To use the techniques below with gnutls-cli from the gnutls-bin package, provide the --starttls argument (and the appropriate --port XXX argument), type the protocol's upgrade exchange by hand, and hit Ctrl+D once the server has agreed to upgrade: EOF on stdin (or a SIGALRM sent to the process) is what tells gnutls-cli to start the TLS negotiation. Newer gnutls-cli builds also know some of these protocols directly via --starttls-proto (e.g. --starttls-proto=smtp), which does the exchange for you.

POP

XMPP

The polite XMPP handshake (on port 5222 for client-to-server, or port 5269 for server-to-server) that negotiates a TLS upgrade looks something like this (note that the domain requested in the to attribute of the stream header needs to be the right one: a server may host several domains, and the one you name is the identity it answers for and the one its certificate has to match):
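As an added example (not the original post's transcript and not code from any XMPP project), here is that negotiation done from Python following RFC 6120: the client opens a stream naming the domain, checks that the server's stream features offer STARTTLS, sends the starttls element, and only upgrades after a proceed reply with nothing trailing it. The certificate is verified against the XMPP domain rather than the host you connected to. The host name xmpp.example.com and domain example.com are placeholders, and the XML snippets used for offline checking are constructed.

```python
# Added example (not from the original post): XMPP STARTTLS per RFC 6120
# section 5, done from Python.  Host and domain below are placeholders.
import socket
import ssl

STREAM_NS = "http://etherx.jabber.org/streams"
TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"


def stream_header(domain, content_ns="jabber:client"):
    """Opening <stream:stream>; use content_ns='jabber:server' on port 5269.
    The 'to' domain is the identity the server answers for and must certify."""
    return (f"<?xml version='1.0'?><stream:stream xmlns='{content_ns}' "
            f"xmlns:stream='{STREAM_NS}' to='{domain}' version='1.0'>")


def offers_starttls(features_xml):
    """True if the server's <stream:features> advertises <starttls xmlns=TLS_NS>."""
    return (f"<starttls xmlns='{TLS_NS}'" in features_xml
            or f'<starttls xmlns="{TLS_NS}"' in features_xml)


def tls_proceeded(reply_xml):
    """Interpret the answer to <starttls/>: True for <proceed/>, False for <failure/>.
    Raise if anything follows the element: the server must send nothing else
    before the handshake, so trailing bytes are a protocol violation."""
    end = reply_xml.find("/>")
    if end < 0:
        raise ValueError("incomplete reply: %r" % reply_xml)
    if reply_xml[end + 2:].strip():
        raise ValueError("plaintext after the STARTTLS reply; refusing to upgrade")
    head = reply_xml.lstrip()
    if head.startswith("<proceed"):
        return True
    if head.startswith("<failure"):
        return False
    raise ValueError("unexpected reply: %r" % reply_xml)


def recv_until(sock, markers, limit=65536):
    """Read until one of the byte markers appears (or the peer closes); return text."""
    buf = b""
    while not any(m in buf for m in markers):
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("server closed the stream")
        buf += chunk
        if len(buf) > limit:
            raise ValueError("oversized response before TLS")
    return buf.decode("utf-8", "replace")


def xmpp_starttls(host, domain, port=5222, content_ns="jabber:client", timeout=10):
    """Negotiate STARTTLS and return a verified TLS socket with a fresh stream opened on it."""
    sock = socket.create_connection((host, port), timeout=timeout)
    sock.sendall(stream_header(domain, content_ns).encode("utf-8"))
    features = recv_until(sock, [b"</stream:features>", b"<stream:features/>", b"</stream:stream>"])
    if "<stream:error" in features or not offers_starttls(features):
        sock.close()
        raise RuntimeError("no STARTTLS offered: %r" % features)
    sock.sendall(f"<starttls xmlns='{TLS_NS}'/>".encode("utf-8"))
    if not tls_proceeded(recv_until(sock, [b"/>"])):
        sock.close()
        raise RuntimeError("server answered <failure/> to STARTTLS")
    ctx = ssl.create_default_context()
    # The certificate is checked against the XMPP domain, not the connected host.
    tls = ctx.wrap_socket(sock, server_hostname=domain)
    # RFC 6120 section 5.4.3.3: a new stream header is sent once TLS is up.
    tls.sendall(stream_header(domain, content_ns).encode("utf-8"))
    return tls


if __name__ == "__main__":
    tls = xmpp_starttls("xmpp.example.com", "example.com")   # placeholders
    print(tls.version(), tls.getpeercert()["subject"])
```

For a server-to-server check on port 5269, pass content_ns="jabber:server"; everything else, including the domain-based certificate check, stays the same.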

LDAP

After the client sends the StartTLS extended request (an ExtendedRequest carrying the OID 1.3.6.1.4.1.1466.20037 and no requestValue), the server should send an extended response with resultCode == 0 (success) and empty matchedDN and errorMessage fields. Only then can you start the TLS handshake: any other resultCode means the server declined, and any bytes it sends after the success response but before the handshake should be treated as an error rather than fed into TLS.

Since the LDAP protocol is not a text protocol, you can't easily use gnutls-cli's trick to make it start the handshake at the right moment, which is too bad.
I'm wondering, though, if it could still be achieved by hooking up a script to gnutls-cli's stdin/out that blurts out the expected numerical packet structure, then verifies that it gets the correct answer and sends a signal to the gnutls-cli process.
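The same idea as an added example in Python (not from the original post): rather than coaxing gnutls-cli, encode the StartTLS ExtendedRequest in BER by hand, read back exactly one LDAPMessage, check resultCode, matchedDN and errorMessage, and then hand the very same socket to the ssl module. Tags and the OID are those of RFC 4511; ldap.example.com is a placeholder and the response bytes used for offline checking are constructed.

```python
# Added example (not from the original post): LDAP StartTLS (RFC 4511
# section 4.14) driven from a script, since the exchange is BER-encoded
# rather than line-oriented.  ldap.example.com is a placeholder.
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"


def ber_len(n):
    """BER length: one byte below 128, else 0x80|count followed by the big-endian length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, value):
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(n):
    """INTEGER for non-negative n (the extra byte keeps the sign bit clear when needed)."""
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))


def starttls_request(message_id=1):
    """LDAPMessage { messageID, extendedReq [APPLICATION 23] { requestName [0] OID } }."""
    ext_req = tlv(0x77, tlv(0x80, STARTTLS_OID))      # 0x77 = APPLICATION 23, constructed
    return tlv(0x30, ber_int(message_id) + ext_req)


def read_tlv(buf, pos=0):
    """Decode one TLV at buf[pos]; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def parse_extended_response(msg):
    """Return (messageID, resultCode, matchedDN, errorMessage, responseName)."""
    tag, body, _ = read_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(body)
    tag, op, _ = read_tlv(body, pos)
    if tag != 0x78:                                   # 0x78 = APPLICATION 24: ExtendedResponse
        raise ValueError("not an ExtendedResponse (tag 0x%02x)" % tag)
    _, rc, pos = read_tlv(op)                         # ENUMERATED resultCode
    _, matched_dn, pos = read_tlv(op, pos)            # LDAPDN
    _, diag, pos = read_tlv(op, pos)                  # errorMessage / diagnosticMessage
    response_name = None
    while pos < len(op):                              # optional referral [3], responseName [10], responseValue [11]
        tag, val, pos = read_tlv(op, pos)
        if tag == 0x8A:
            response_name = val
    return (int.from_bytes(mid, "big"), int.from_bytes(rc, "big"),
            matched_dn.decode("utf-8"), diag.decode("utf-8"), response_name)


def recv_exact(sock, n):
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        data += chunk
    return data


def recv_message(sock):
    """Read exactly one LDAPMessage and nothing past it, so no plaintext sits in a buffer when TLS starts."""
    head = recv_exact(sock, 2)
    length = head[1]
    if length & 0x80:
        extra = recv_exact(sock, length & 0x7F)
        head += extra
        length = int.from_bytes(extra, "big")
    return head + recv_exact(sock, length)


def ldap_starttls(host, port=389, timeout=10):
    """Send the StartTLS extended request and, on success, return a verified TLS socket."""
    sock = socket.create_connection((host, port), timeout=timeout)
    sock.sendall(starttls_request(1))
    mid, rc, matched_dn, diag, _ = parse_extended_response(recv_message(sock))
    if mid != 1 or rc != 0:
        sock.close()
        raise RuntimeError(f"StartTLS refused: resultCode={rc} matchedDN={matched_dn!r} errorMessage={diag!r}")
    ctx = ssl.create_default_context()                # verifies the chain and the host name
    return ctx.wrap_socket(sock, server_hostname=host)


if __name__ == "__main__":
    tls = ldap_starttls("ldap.example.com")           # placeholder host
    print(tls.version(), tls.getpeercert()["subject"])
```

The request is the well-known 31-byte sequence 30 1d 02 01 01 77 18 80 16 followed by the OID string; a minimal success response is 30 0c 02 01 01 78 07 0a 01 00 04 00 04 00, and some servers additionally echo the OID as responseName. Because recv_message reads one message and no more, any plaintext a misbehaving peer appends after the success response stays unread on the socket and is caught by the TLS handshake failing rather than silently absorbed.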

Sieve

ManageSieve (the protocol for managing Sieve scripts, RFC 5804) is another text protocol that uses STARTTLS for initiating encrypted connections.

You can use gnutls-cli --starttls -p 4190 your.mailserver.tld to connect to the sieve service. The server greets you with its capability lines (one of them should be "STARTTLS") ending in an OK line; then type STARTTLS, the server should answer OK "Begin TLS negotiation now.", and you can hit Ctrl-D to start the TLS handshake.

For further testing the service once TLS is up (PLAIN sends the password in the clear, so never do this before the upgrade; servers typically don't even advertise SASL PLAIN until then), you can start by logging in with:

AUTHENTICATE "PLAIN" ""

The second argument is the base64 encoding of the SASL PLAIN message \0username\0password (the leading NUL is an empty authorization identity). You can obtain the encoded string that you'll use in the command above by issuing this command:

printf "\0joebob@example.com\0ilovemycat33" | base64

Once logged in you can try to list scripts for the account (LISTSCRIPTS) and get their contents (GETSCRIPT "name"):
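The whole exchange above as an added example in Python (not from the original post or any ManageSieve implementation): read the capability greeting, send STARTTLS, refuse the upgrade if any plaintext arrived after the server's OK, wrap the socket, then AUTHENTICATE PLAIN and LISTSCRIPTS over TLS. your.mailserver.tld and the joebob credentials are placeholders taken from the text; the greeting bytes used for offline checking are constructed.

```python
# Added example (not from the original post): ManageSieve (RFC 5804)
# STARTTLS, PLAIN login and LISTSCRIPTS from Python.  Host and
# credentials below are placeholders from the text.
import base64
import shlex
import socket
import ssl


class LineReader:
    """CRLF line reader over a socket that exposes its buffer, so the caller can
    refuse to start TLS if the server sent plaintext after its STARTTLS OK."""

    def __init__(self, sock, data=b""):
        self.sock, self.buf = sock, data          # data: bytes already received (offline use)

    def _fill(self):
        chunk = self.sock.recv(4096) if self.sock is not None else b""
        if not chunk:
            raise ConnectionError("server closed the connection")
        self.buf += chunk

    def readline(self):
        while b"\n" not in self.buf:
            self._fill()
        line, _, self.buf = self.buf.partition(b"\n")
        return line + b"\n"

    def read(self, n):
        while len(self.buf) < n:
            self._fill()
        data, self.buf = self.buf[:n], self.buf[n:]
        return data


def read_response(reader):
    """Collect lines through the terminating OK/NO/BYE; returns (status, lines).
    A {n} literal is read as raw bytes so script text cannot pass as a status line."""
    lines = []
    while True:
        line = reader.readline().decode("utf-8", "replace").rstrip("\r\n")
        if line.startswith("{") and line.endswith("}"):
            lines.append(reader.read(int(line[1:-1].rstrip("+"))).decode("utf-8", "replace"))
            continue
        lines.append(line)
        status = line.split(" ", 1)[0]
        if status in ("OK", "NO", "BYE"):
            return status, lines


def parse_capabilities(lines):
    """Turn '"SASL" "PLAIN"' style capability lines into a dict (bare names map to '')."""
    caps = {}
    for line in lines:
        if line.startswith('"'):
            parts = shlex.split(line)
            caps[parts[0]] = parts[1] if len(parts) > 1 else ""
    return caps


def plain_sasl(username, password, authzid=""):
    """SASL PLAIN (RFC 4616): base64(authzid NUL authcid NUL password), same as the printf pipeline."""
    raw = f"{authzid}\0{username}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def quoted(s):
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def sieve_login(host, username, password, port=4190, timeout=10):
    """STARTTLS, then AUTHENTICATE PLAIN over TLS only; returns (tls socket, reader, script lines)."""
    sock = socket.create_connection((host, port), timeout=timeout)
    reader = LineReader(sock)
    status, greeting = read_response(reader)
    if status != "OK" or "STARTTLS" not in parse_capabilities(greeting):
        raise RuntimeError("server did not offer STARTTLS: %r" % greeting)
    sock.sendall(b"STARTTLS\r\n")
    status, reply = read_response(reader)
    if status != "OK":
        raise RuntimeError("STARTTLS refused: %r" % reply)
    if reader.buf:                                # RFC 5804: nothing may follow the OK until TLS is up
        raise RuntimeError("plaintext received after STARTTLS OK; refusing to upgrade")
    ctx = ssl.create_default_context()            # verifies the chain and the host name
    reader.sock = ctx.wrap_socket(sock, server_hostname=host)
    status, caps = read_response(reader)          # the server re-sends its capabilities over TLS
    if "PLAIN" not in parse_capabilities(caps).get("SASL", "").split():
        raise RuntimeError("PLAIN not offered over TLS: %r" % caps)
    reader.sock.sendall(f'AUTHENTICATE "PLAIN" {quoted(plain_sasl(username, password))}\r\n'.encode("utf-8"))
    status, reply = read_response(reader)
    if status != "OK":
        raise RuntimeError("login failed: %r" % reply)
    reader.sock.sendall(b"LISTSCRIPTS\r\n")
    status, scripts = read_response(reader)
    if status != "OK":
        raise RuntimeError("LISTSCRIPTS failed: %r" % scripts)
    return reader.sock, reader, scripts[:-1]


if __name__ == "__main__":
    _, _, scripts = sieve_login("your.mailserver.tld", "joebob@example.com", "ilovemycat33")
    print("\n".join(scripts))
```

plain_sasl produces exactly what the printf | base64 pipeline above does, and the LineReader.buf check is the part that gnutls-cli's Ctrl+D dance cannot give you: it guarantees that no bytes received in the clear are carried over into what you believe is the TLS-protected session.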